Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-azure-compliance
Overview
16Dashboards
1651Benchmarks
486Queries
8Variables
GitHub

Control: 5.2.7 Ensure that multifactor authentication is required to access Microsoft Admin Portals

Description

This recommendation ensures that users accessing Microsoft Admin Portals (i.e. Microsoft 365 Admin, Microsoft 365 Defender, Exchange Admin Center, Azure Portal, etc.) are required to use multi-factor authentication (MFA) credentials when logging into an Admin Portal.

Administrative Portals for Microsoft Azure should be secured with a higher level of scrutiny to authenticating mechanisms. Enabling multi-factor authentication is recommended to reduce the potential for abuse of Administrative actions, and to prevent intruders or compromised admin credentials from changing administrative settings.

Remediation

Remediate from Azure Portal

  1. From the Azure Admin Portal dashboard, open Microsoft Entra ID.
  2. Click Security in the Entra ID blade.
  3. Click Conditional Access in the Security blade.
  4. Click Policies in the Conditional Access blade.
  5. Click + New policy.
  6. Enter a name for the policy.
  7. Click the blue text under Users.
  8. Under Include, select All users.
  9. Under Exclude, check Users and groups.
  10. Select users or groups to be exempted from this policy (e.g. break-glass emergency accounts, and non-interactive service accounts) then click the Select button.
  11. Click the blue text under Target resources.
  12. Under Include, click the Select apps radio button.
  13. Click the blue text under Select.
  14. Check the box next to Microsoft Admin Portals then click the Select button.
  15. Click the blue text under Grant.
  16. Under Grant access check the box for Require multifactor authentication then click the Select button.
  17. Before creating, set Enable policy to Report-only.
  18. Click Create.

After testing the policy in report-only mode, update the Enable policy setting from Report-only to On.

Default Value

By default, no Conditional Access policy specifically requires MFA for Microsoft Admin Portals.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.cis_v500_5_2_7

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.cis_v500_5_2_7 --share

SQL

This control uses a named query:

with distinct_tenant as (
  select
    distinct tenant_id,
    display_name,
    subscription_id,
    _ctx
  from
    azure_tenant
),
conditional_access_policy as (
  select
    tenant_id,
    count(*) as conditional_access_policy_count
  from
    azuread_conditional_access_policy
  where
    users -> 'includeUsers' ? 'All'
    and applications -> 'includeApplications' ? 'MicrosoftAdminPortals'
    and built_in_controls @> '[1]'::jsonb
    and state = 'enabled'
  group
    by tenant_id
)
select
  t.tenant_id as resource,
  case
    when conditional_access_policy_count > 0 then 'ok'
    else 'alarm'
  end as status,
  case
    when conditional_access_policy_count > 0 then t.display_name || ' has conditional access policy that requires MFA for All users (or admin roles) when accessing admin portals.'
    else t.display_name || ' does not have a conditional access policy that requires MFA for All users (or admin roles) when accessing admin portals.'
  end as reason,
  t.tenant_id
  
from
  distinct_tenant as t
  left join conditional_access_policy as p on p.tenant_id = t.tenant_id;

Tags

category = Compliance
cis = true
cis_item_id = 5.2.7
cis_level = 2
cis_section_id = 5.2
cis_type = manual
cis_version = v5.0.0
plugin = azure
service = Azure